2. Vulnerability Information

3. Vulnerability Description

Several cross-site scripting vulnerabilities were found in the following
files/URLs of the Sun Java System Communications Express [1]:

https://<server>/uwc/abs/search.xml?

http://<server>/uwc/base/UWCMain

Cross-site scripting (XSS) vulnerabilities [2], [3] allow an attacker to
execute arbitrary script code in the context of the user's browser (in the
vulnerable application's domain). For example, an attacker could exploit
an XSS vulnerability to steal user cookies (and then impersonate the
legitimate user) or to fake a page requesting information from the user
(e.g. credentials). This vulnerability occurs when user-supplied data is
written into the page without encoding.

6. Vendor Information, Solutions and Workarounds

7. Credits

These vulnerabilities were discovered by the SCS team from Core Security Technologies.

8. Technical Description / Proof of Concept Code

Cross-Site Scripting (commonly referred to as XSS) attacks are the
result of improper encoding or filtering of input obtained from
untrusted sources. Basically, they consist of the attacker injecting
malicious tags and/or script code that is executed by the user's web
browser when accessing the vulnerable web site. The injected code
then takes advantage of the trust given by the user to the vulnerable
site. These attacks are usually targeted at the users of a web application
rather than at the application itself (although one could say that the users
are affected because of a vulnerability of the web application).
The term 'cross-site scripting' is also sometimes used in a broader sense,
referring to different types of attacks involving script injection into
the client. For additional information, please look at the references
[2], [3], [4], [5] and [6].

8.1. Vulnerability #1 - XSS (BID 34154, CVE-2009-1729)

Cross-site scripting vulnerabilities were found in the following file/URL:

https://<server>/uwc/abs/search.xml?

This is part of the 'Personal Address Book->Add contact' functionality.
Although the affected URL is originally accessed through a POST request,
this vulnerability can be exploited both with a GET and with a POST request.

The following variable is affected:

abperson_displayName

The contents of the variable mentioned above are not HTML-encoded when
they are written into the HTML output, so an attacker who controls its
content can inject JavaScript code.

8.2. Vulnerability #2 - XSS (BID 34155, CVE-2009-1729)

Cross-site scripting vulnerabilities were found in the following file/URL:

http://<server>/uwc/base/UWCMain

The contents of the request URL are not HTML-encoded when they are
reflected into the HTML output, so an attacker who controls the URL can
inject JavaScript code.

This vulnerability can be exploited through a GET request, and the user
does not need to be logged into the web application. This makes this
cross-site scripting vulnerability well suited to email-based attacks:
an attacker can send the victim a link to a 'calendar' by email and
'exploit' the victim when the link is followed.
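Both findings come down to the same defect: a request value (the
abperson_displayName parameter in 8.1, the request URL in 8.2) is copied
into the HTML response without output encoding. The following is an added
illustration, not code from this advisory or from Sun's Communications
Express, of the flawed pattern beside its hardened form. The function
names, the page markup and the sample input are assumptions constructed
for the example; the only real library calls are Python's html.escape and
urllib.parse.

```python
"""Added example: HTML output encoding as the fix for the reflected XSS
pattern described in sections 8.1 and 8.2. Not the vendor's code; the
markup, function names and sample values are constructed for illustration."""
import html
from urllib.parse import quote, urlsplit

# Constructed sample input: a display name that contains the characters
# HTML treats as markup. It is not a payload, just a value with & < > ".
SAMPLE_NAME = 'Ana <i>Maria</i> & Co. "Ltd"'


def render_contact_unsafe(display_name: str) -> str:
    """The flawed pattern from 8.1: the parameter is interpolated verbatim,
    so any markup inside it becomes part of the page the browser parses."""
    return f"<p>Added contact: <b>{display_name}</b></p>"


def render_contact_safe(display_name: str) -> str:
    """Hardened form: escape for the HTML text context before interpolation.
    html.escape(quote=True) turns & < > " ' into character references, so the
    browser renders the value as text instead of parsing it as markup."""
    return f"<p>Added contact: <b>{html.escape(display_name, quote=True)}</b></p>"


def render_self_link_safe(request_url: str) -> str:
    """The 8.2 pattern, hardened: the request URL is reflected into the page
    inside an href attribute, which needs two layers of protection:
    1. percent-encode the path and query so the value stays a well-formed URL,
    2. HTML-escape the result (quotes included) for the attribute context."""
    parts = urlsplit(request_url)
    safe_path = quote(parts.path, safe="/")
    safe_query = quote(parts.query, safe="=&")
    href = safe_path + ("?" + safe_query if safe_query else "")
    return f'<a href="{html.escape(href, quote=True)}">this page</a>'


def reflects_raw_markup(rendered: str, untrusted: str) -> bool:
    """Simple review check: if an untrusted value containing '<' survives
    verbatim in the rendered output, output encoding was skipped."""
    return "<" in untrusted and untrusted in rendered


if __name__ == "__main__":
    print("unsafe:", render_contact_unsafe(SAMPLE_NAME))
    print("safe:  ", render_contact_safe(SAMPLE_NAME))
    print("link:  ", render_self_link_safe("http://example.invalid/uwc/base/UWCMain?a=<1>"))
```

The check in reflects_raw_markup is the property a reviewer or a test
suite can assert on every page that echoes request data: the untrusted
string must never reappear in the response with its markup characters
intact. Context matters too, which is why the href case encodes twice;
escaping for HTML text alone does not make a value safe inside a URL
attribute.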

9. Report Timeline

2009-01-09: Core Security Technologies notifies the Sun Security
Coordination Team of the vulnerability, setting the estimated publication
date of the advisory to Feb 2nd. Technical details are sent to the
Communications Express team.

2009-01-09: The vendor acknowledges receipt of the report and asks Core to
postpone publication of the security advisory in order to have enough
time to investigate and fix the bugs. The vendor requests the GPG key of
Core's security advisories team.

2009-01-12: Core agrees to postpone the advisory publication but asks the
vendor for feedback from its engineering team as soon as possible in
order to coordinate the release date of fixes and security advisories.

2009-01-21: Core asks the vendor for an estimated date for the release of
patches and fixes.

2009-01-21: The Sun Security Coordination Team notifies Core that the
vendor's engineering team hopes to have patches released sometime near
the end of February or the beginning of March. The time frame is
tentative due to the vendor's QA testing process, which includes testing
of all patches, some of which may include fixes to bugs unrelated to
those reported by Core.

2009-02-06: Core reschedules the advisory publication date to Feb 25th.
An updated timeline is sent to the vendor requesting confirmation that
patches will be released by then.

2009-02-16: The vendor asks Core to delay the advisory publication until
the end of March, in order to finish a rigorous process of internal
testing.

2009-02-16: Core reschedules the advisory publication date to March 30th.
Core indicates that it would appreciate further technical details about
the flaws from the vendor's engineering team.

2009-02-17: The vendor acknowledges the previous email.

2009-03-17: Core reminds the vendor that publication of the advisory is
scheduled for March 30th. Core also requests updated information about
the development and release of fixed versions.

2009-03-23: The vendor confirms that it is on track to have the fix ready
for publication at the end of the month, March 30th, and provides a list
of affected products and versions.

2009-03-24: The vendor states that there was a confusion on its end, and
that patches are scheduled to complete testing and be published on
22nd April 2009. The vendor requests that Core delay publication of its
advisory.

2009-03-25: Core confirms that the advisory publication is rescheduled to
April 22nd.

2009-04-08: The Sun engineering team informs Core that they have a fix for
another flaw reported by Core [7]. This fix is currently undergoing Sun's
standard testing, and the vendor expects to be ready to publish the patch
on Monday 20th April 2009.

2009-04-16: The Sun engineering team confirms they are still planning to
release the fix for [7] on 20th April 2009.

2009-04-17: Core asks the Sun engineering team about the vulnerability
reported in this advisory (Sun Communications Express) and requests an
estimated date for the release of patches and fixes.

2009-04-20: The Sun engineering team informs Core that the issue which
affects Communications Express is planned for publication later in the
week. The vendor will get back to Core with a more definite date once
they have confirmed the details.

2009-04-22: The Sun engineering team informs Core that the fix related to
Communications Express is currently undergoing internal testing and they
expect to be ready to publish the fixes and the Sun Alert on 6th May 2009.

2009-04-29: Core reschedules the advisory publication date to 6th May 2009
and asks Sun for a URL of the corresponding Sun Alert and a list of
non-vulnerable packages.

2009-05-05: The Sun engineering team informs Core that they are
experiencing some difficulties related to the final release stages of the
fix for this bug. The vendor will not be ready to go public with this fix
tomorrow.

2009-05-05: Core responds that it is possible to postpone publication of
the advisory, but asks the Sun engineering team for an estimated date to
reach the final release of the fix as soon as possible.

2009-05-08: The Sun engineering team informs Core that they are still
experiencing some delays with the final stages of this release process
and asks to delay publication of the advisory.

2009-05-18: The Sun engineering team confirms that they have resolved the
outstanding issues related to this vulnerability and expect to be ready
to publish the fixes on Wednesday 20th May.

11. About CoreLabs

CoreLabs, the research center of Core Security Technologies, is charged with
anticipating the future needs and requirements for information security
technologies. We conduct our research in several important areas of
computer security including system vulnerabilities, cyber attack planning
and simulation, source code auditing, and cryptography. Our results include
problem formalization, identification of vulnerabilities, novel solutions
and prototypes for new technologies. CoreLabs regularly publishes security
advisories, technical papers, project information and shared software
tools for public use at: http://www.coresecurity.com/corelabs.

12. About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious
organizations worldwide develop and maintain a proactive process for
securing their networks. The company's flagship product, CORE IMPACT, is
the most comprehensive product for performing enterprise security
assurance testing. CORE IMPACT evaluates network, endpoint and end-user
vulnerabilities and identifies what resources are exposed. It enables
organizations to determine if current security investments are detecting
and preventing attacks. Core Security Technologies augments its leading technology solution
with world-class security consulting services, including penetration
testing and software security auditing. Based in Boston, MA and Buenos
Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web
at http://www.coresecurity.com.

13. Disclaimer

The contents of this advisory are copyright (c) 2009 Core Security Technologies and
(c) 2009 CoreLabs, and may be distributed freely provided
that no fee is charged for this distribution and proper credit is given.